
Roles and Users

Deploying an Access Control policy to manage access to management components is crucial for effective protection. Use the principle of least privilege, providing the minimal privilege needed for a specific operation. An attacker who gains high-privilege access to backup infrastructure servers can obtain credentials for user accounts and compromise other systems in your environment. Ensure that all accounts have specific roles and are added to the appropriate group.

Enforce containment to impede attackers from moving around too easily. Implement standard measures and policies:

  • Avoid using user accounts for admin access to reduce incidents and accidents.
  • Assign each Veeam admin their own admin account for traceability and easy addition and removal.
  • Grant access only to what is necessary for the job.
  • Strictly limit users who can log in using the Veeam Backup for Microsoft 365 Console and the Explorers.
  • Add 2-factor authentication for highly valuable assets.
  • Monitor accounts for suspicious activity.

Anonymization

Many companies adhere to best practices by employing dedicated accounts for administrators to perform privileged tasks, separate from their user accounts used for regular office duties. These accounts are often prefixed with “adm_,” which, while convenient, can aid attackers in identifying privileged accounts. Consider reserving “adm_” accounts for honeypot users only and adopt an alternative strategy for actual admin accounts. Using identifiers other than a user’s name, such as random or unrelated strings, can introduce complexity, making it more challenging for attackers to identify privileged accounts and slowing down their progress.

Password management policy

Implementing an effective Password Management Policy tailored to your organization is essential. Enforcing the use of strong passwords across your infrastructure adds a valuable layer of control, making it more challenging for attackers to guess passwords or crack hashes and gain unauthorized access to critical systems.

For user accounts, consider passwords with a minimum of 10 characters, incorporating a mix of upper and lowercase letters, numbers, and special characters. Ensure that default accounts and passwords have been modified on all assets. For Admin accounts, adding 2-factor authentication is imperative to enhance infrastructure security.

When dealing with service accounts, use passwords with 25+ characters and leverage a password tool for easier management. Admins can then copy and paste the password when needed, boosting the security of service accounts. Ensure that the password tool and database are available from a recovery site in case of a disaster. Keep recent backups of your password tool and database on air-gapped media, such as DVD, CD-ROM, or tape. Pay special attention to the Veeam Repository password, crucial for restoring backup content.

Lockout policy

Implement a Lockout Policy that complements the password management strategy. Accounts should be locked after a small number of incorrect attempts, effectively thwarting password-guessing attacks. However, exercise caution, as this may result in locking everyone out of the backup system for a period. For service accounts, consider raising alarms quickly instead of locking the accounts, providing visibility into suspicious behavior towards your data and infrastructure.
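As an added example, not part of this page or of Veeam's own software, the following Python sketch applies the lockout rules above together with the honeypot idea from the Anonymization section to a constructed set of failed-logon records: user accounts are locked after a small number of failures in a window, service accounts raise an alert instead of locking, and any attempt against a honeypot account alerts immediately. The account-name prefixes (svc_, adm_), the thresholds and the window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (account, ISO timestamp);
# made up for this example, not real Veeam or Windows log lines.
SAMPLE_EVENTS = [
    ("jdoe", "2024-02-06T08:00:00"),
    ("jdoe", "2024-02-06T08:00:10"),
    ("jdoe", "2024-02-06T08:00:20"),
    ("svc_vb365", "2024-02-06T08:01:00"),
    ("svc_vb365", "2024-02-06T08:01:05"),
    ("adm_backup", "2024-02-06T09:30:00"),
    ("jdoe", "2024-02-06T09:45:00"),  # outside the window, no lock
]

USER_LOCK_THRESHOLD = 3      # users: lock after a small number of failures
SERVICE_ALERT_THRESHOLD = 2  # service accounts: alert early, never lock
WINDOW = timedelta(minutes=10)  # assumed sliding window for counting failures


def classify(account):
    """Assumed naming convention: 'adm_' reserved for honeypot users (as the
    Anonymization section suggests), 'svc_' for service accounts."""
    if account.startswith("adm_"):
        return "honeypot"
    if account.startswith("svc_"):
        return "service"
    return "user"


def evaluate(events):
    """Return (account, action) pairs: 'lock' for user accounts reaching the
    threshold, 'alert' for service accounts and for any honeypot attempt."""
    recent = defaultdict(deque)  # per-account timestamps inside the window
    actions = []
    for account, stamp in events:
        ts = datetime.fromisoformat(stamp)
        kind = classify(account)
        if kind == "honeypot":
            actions.append((account, "alert"))  # nobody should use these
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if kind == "user" and len(q) >= USER_LOCK_THRESHOLD:
            actions.append((account, "lock"))
            q.clear()  # counter resets once the account is locked
        elif kind == "service" and len(q) >= SERVICE_ALERT_THRESHOLD:
            actions.append((account, "alert"))
            q.clear()  # alert once per burst; the account keeps running
    return actions
```

Running evaluate(SAMPLE_EVENTS) locks jdoe, alerts on svc_vb365, and alerts on the honeypot adm_backup, while the lone later jdoe failure outside the window triggers nothing.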

Required Permissions

Adopt the principle of least privilege by providing minimal permissions necessary for accounts to function.

Notes:

  • The accounts used with Veeam Backup for Microsoft 365 must have the permissions detailed in the user's guide.


Copyright © 2019-2023 Solutions Architects, Veeam Software.

Page last modified: 2024-02-06.